Ryan et al.:
Congrats on Extension:LDAP_Authentication, you're doing some great work here.
Our systems are:
- FreeBSD 6.x / amd64
- OpenLDAP 2.3.4x
- Apache 2.3
- PHP 5.2.5
- MW 1.11.0 from Ports
- TLS works
- Proxy User works
- I've managed to make things work with our non-standard LDAP tree
So far the only problems that I've encountered:
- "Proxy Agent" is ambiguous and even misleading. If you look at something like PADL PAM_LDAP or NSS_LDAP, they simply refer to these as "bindpw" and "bindcn" -- or an even better name is "MetaUser", since LDAP as a whole is ambiguous as to what constitutes a user or identity (a DN).
- WRT groups, it isn't entirely clear which settings control which group a UID=/CN= must be a member of (PADL calls this $pam_groupdn) vs. how meta-group membership _WITHIN_ MediaWiki is determined (PADL calls it $nss_base_group).
- $wgLDAPProxyAgentPassword isn't accepting a proper SHA1+Base64'd password -- I've resorted to storing it in cleartext. Will debug later.
- $wgLDAPRetrievePrefs isn't documented well -- or it is defaulting to off. It should say/document something like "Enable to extract CN attribute/value pairs from LDAP".
- It is not entirely clear how other MediaWiki settings not defined in the posixAccount or inetOrgPerson foundation objectClasses, for things such as skin and editing preferences, should be stored (semi-overlapping entries on the SQL database side?).
I will examine these closer during the day today.
~BAS
PS. On the topic of LDAP<->MW prefs, it might be recommended to use a wiki table to map SQL columns in the mediawiki.mwuser SQL table to LDAP attributes!
wikidb-# \d mediawiki.mwuser;
                                      Table "mediawiki.mwuser"
          Column          |           Type           |                            Modifiers
--------------------------+--------------------------+------------------------------------------------------------------
 user_id                  | integer                  | not null default nextval('mediawiki.user_user_id_seq'::regclass)
 user_name                | text                     | not null
 user_real_name           | text                     |
 user_password            | text                     |
 user_newpassword         | text                     |
 user_newpass_time        | timestamp with time zone |
 user_token               | character(32)            |
 user_email               | text                     |
 user_email_token         | character(32)            |
 user_email_token_expires | timestamp with time zone |
 user_email_authenticated | timestamp with time zone |
 user_options             | text                     |
 user_touched             | timestamp with time zone |
 user_registration        | timestamp with time zone |
 user_editcount           | integer                  |
Indexes:
    "mwuser_pkey" PRIMARY KEY, btree (user_id)
    "mwuser_user_name_key" UNIQUE, btree (user_name)
    "user_email_token_idx" btree (user_email_token)
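An added example, not part of the mail above or of the LDAP_Authentication extension, of the column-to-attribute mapping the PS proposes: a small mapping table from mwuser columns (the names from the \d output) to LDAP attributes, applied to a constructed inetOrgPerson entry, with the credential columns explicitly excluded from the mapping. It also shows the OpenLDAP {SHA} userPassword form mentioned in the proxy-agent item and the comparison the directory performs against it on a simple bind. The attribute choices (uid, cn, mail, description) and the sample entry are assumptions.

```python
import base64
import hashlib
import hmac

# Mapping table: mwuser column -> LDAP attribute. The column names are those
# from the \d output above; the attribute names are assumptions for a
# posixAccount/inetOrgPerson entry and would be the contents of the proposed
# wiki mapping table.
MWUSER_TO_LDAP = {
    "user_name": "uid",
    "user_real_name": "cn",
    "user_email": "mail",
    # Assumed: a free-form attribute used to stash serialized MediaWiki prefs.
    "user_options": "description",
}

# Credential and token columns stay local to MediaWiki: with LDAP doing the
# authentication, nothing in the directory should ever populate them.
LOCAL_ONLY = frozenset({"user_password", "user_newpassword",
                        "user_token", "user_email_token"})


def entry_to_mwuser_row(entry, mapping=MWUSER_TO_LDAP):
    """Turn a parsed LDAP entry ({attribute: [values]}, the shape most LDAP
    client libraries return) into a dict of mwuser column values."""
    row = {}
    for column, attr in mapping.items():
        if column in LOCAL_ONLY:
            raise ValueError(f"refusing to source credential column {column} from LDAP")
        values = entry.get(attr) or []
        # mwuser columns are single-valued: take the first value of a
        # multi-valued attribute, NULL when the attribute is absent.
        row[column] = values[0] if values else None
    return row


def ldap_sha_hash(password):
    """OpenLDAP {SHA} userPassword form: '{SHA}' + base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_ldap_sha(password, stored):
    """Verify a cleartext password against a {SHA} userPassword value. This is
    the comparison the directory itself performs on a simple bind; the client
    side of the bind (e.g. the proxy agent) always presents the cleartext."""
    if not stored.startswith("{SHA}"):
        raise ValueError("not a {SHA} value")
    expected = base64.b64decode(stored[len("{SHA}"):])
    actual = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)


# Constructed sample entry (not real data).
SAMPLE_ENTRY = {
    "dn": ["uid=bas,ou=People,dc=example,dc=org"],
    "objectClass": ["inetOrgPerson", "posixAccount"],
    "uid": ["bas"],
    "cn": ["B. A. S."],
    "mail": ["bas@example.org"],
    "userPassword": [ldap_sha_hash("correct horse")],
}

if __name__ == "__main__":
    for column, value in entry_to_mwuser_row(SAMPLE_ENTRY).items():
        print(f"{column:24} <- {value!r}")
    print(check_ldap_sha("correct horse", SAMPLE_ENTRY["userPassword"][0]))
```

Keeping the mapping declarative means the wiki table can drive it directly, while the LOCAL_ONLY set guards against a mapping row that would copy directory password material into mwuser.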